Danbooru

Tracking is a GDPR violation

Posted under Bugs & Features

Sending any personally identifiable information to a third-party service requires explicit consent from the user under the GDPR. An opt-out flag is not enough; you need to ask up front if you have permission to do so, and you have to make it a meaningful and informed choice.

Anonymized tracking for statistics is not considered PII under the GDPR. Almost every site tracks user behavior in some form but none of them ask for your permission if you browse the site anonymously without signing up for an account. All they do is annoy you with useless information about cookies.

Almost every site shoves the tracking down your throat if you want to sign up for an account. Don’t agree to the ToS? Too bad, no account for you. On Danbooru, you can sign up and opt out of tracking, so here it’s better than pretty much everywhere else.

DMs would be subject to the GDPR, but those are never sent to third parties.

Personally I've never been big enough on the web [ = had enough visitors ] to bother with tracking, and even then I simply don't care whether people visit my sites or not; but under GDPR any site can track / check any visitor, including IPs, which may be kept, because otherwise how would they know whom to ban?


Corporate American media --- e.g. the sad old capitalist dementos who collectively lost their goddamn minds at being disobeyed in the 2016 election --- is amusingly still butt-hurt over GDPR, and half a year later still sends out a flurry of deceptive and cheating notices to Europeans, to try and keep personalised advertising on their sites ( which hysteria at having their profits compromised oddly enough is not done by Asian or any non-American corporate sites ).

Sites can use advertising; but have to allow one to turn personalised advertising off; only continuing the latter without explicit consent breaks GDPR; and I should argue it has been allowed to keep necessary PII --- such as sign-up email addresses --- as long as they are needed ( which is as long as the website lasts ). Pure tracking is not a violation if no PII is involved.

https://moz.com/blog/gdpr-and-online-marketing


And if a visitor clearly consents to cookies they are legitimately in the system.

If tracking data is collected that allows an individual to be identified – by their IP address for example – consent must be obtained.

https://www.hipaajournal.com/make-a-website-gdpr-compliant/

But IS the data actually anonymised enough to not count as PII? That is not at all clear, as information that can be linked back to you with a reasonable amount of data mining still counts as PII, and tracking data can easily fall into that category.
